
Risk & Compliance Management 2018

Contributing editor
Daniel Lucien Bühr
Lalive

© Law Business Research 2018

Reproduced with permission from Law Business Research Ltd 


This article was first published in June 2018 
For further information please contact editorial@gettingthedealthrough.com

Publisher
Tom Barnes
tom.barnes@lbresearch.com

Subscriptions
James Spearing
subscriptions@gettingthedealthrough.com

Senior business development managers
Adam Sargent
adam.sargent@gettingthedealthrough.com
Dan White
dan.white@gettingthedealthrough.com

Published by
Law Business Research Ltd
87 Lancaster Road
London, W11 1QQ, UK
Tel: +44 20 3780 4147
Fax: +44 20 7229 6910

© Law Business Research Ltd 2018
No photocopying without a CLA licence.
First published 2017
Second edition
ISBN 978-1-78915-067-4

The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. This information is not intended to create, nor does receipt of it constitute, a lawyer–client relationship. The publishers and authors accept no responsibility for any acts or omissions contained herein. The information provided was verified between April and May 2018. Be advised that this is a developing area.

Printed and distributed by
Encompass Print Solutions
Tel: 0844 2480 112



CONTENTS

Global overview
Daniel Lucien Bühr
Lalive

Argentina
Pedro Serrano Espelta and Gustavo Morales Oliver
Marval, O’Farrell & Mairal

Brazil
Bruno De Luca Drago and Fabianna Vieira Barbosa Morselli
Demarest Advogados

China
Gary Gao
Zhong Lun

Germany
Barnim von den Steinen
Rotthege | Wassermann

Greece
Vicky Athanassoglou
VAP Law Offices

India
Junia Sebastian, Arindam Basu and Richika LRS
ALMT Legal

Italy
Andrea Fedi and Marco Penna
Legance – Avvocati Associati

Japan
Hiroyuki Nezu, Masataka Hayakawa, Kumpei Ohashi, Teruhisa Toyama and Tadashi Yuzawa
Atsumi & Sakai

Mexico
Reynaldo Vizcarra, Jonathan Edward Adams and Lorena Castillo
Baker & McKenzie Abogados, SC

Nigeria
Babajide Ogundipe, Olatunde Ogundipe and Olajumoke Omotade
Sofunde Osakwe Ogundipe & Belgore

Russia
Alexey Borodak and Sergey Avakyan
Norton Rose Fulbright (Central Europe) LLP

Spain
Helena Prieto González, Beatriz Bustamante Zorrilla, Marta Sánchez Martín and Alejandro Ayala González
Garrigues

Switzerland
Daniel Lucien Bühr and Marc Henzelin
Lalive

Turkey
Ümit Hergüner and Zeynep Ahu Sazcı Uzun
Hergüner Bilgen Özeke Attorney Partnership

United Kingdom
Dan Lavender, Matt McCahearty and Malcolm Walton
Macfarlanes LLP

United States
Keith M Korenchuk
Arnold & Porter

Do DOJ policy and the ISO compliance standard overlap?
Daniel Lucien Bühr
Lalive



Preface

Risk & Compliance Management 2018
Second edition

Getting the Deal Through is delighted to publish the second edition of Risk & Compliance Management, which is available in print, as an e-book and online at www.gettingthedealthrough.com.

Getting the Deal Through provides international expert analysis in key areas of law, practice and regulation for corporate counsel, cross-border legal practitioners, and company directors and officers.

Throughout this edition, and following the unique Getting the Deal Through format, the same key questions are answered by leading practitioners in each of the jurisdictions featured. Our coverage this year includes new chapters on China, Greece, India, Nigeria and Turkey and an article, written by the editor, on the overlap between the US Department of Justice's assessment of corporate compliance programmes and the International Organization for Standardization's guidance for compliance management systems.

Getting the Deal Through titles are published annually in print. Please ensure you are referring to the latest edition or to the online version at www.gettingthedealthrough.com.

Every effort has been made to cover all matters of concern to readers. However, specific legal advice should always be sought from experienced local advisers.

Getting the Deal Through gratefully acknowledges the efforts of all the contributors to this volume, who were chosen for their recognised expertise. We also extend special thanks to the contributing editor, Daniel Lucien Bühr of Lalive, for his continued assistance with this volume.

London
May 2018

ALMT Legal INDIA

India
Junia Sebastian, Arindam Basu and Richika LRS
ALMT Legal

1 What legal role does corporate risk and compliance management play in your jurisdiction?

Although, at present, India as a country is still awaiting comprehensive legal guidelines with respect to corporate risk and compliance management, in recent times, compliance with labour, industrial, financial and corporate laws has gathered enormous momentum within the corporate sector.

Labour compliance

India being a country with a significant labour force, one of the major challenges of any company in the corporate sector is with respect to labour compliance. As labour law is considered a ‘specialised area’, non-compliance with labour laws carries with it considerable legal implications and risks.

To keep up with the emerging needs with regard to corporate risk and compliance management, companies in India need to establish effective contract management with their employees and any other related third parties as per the provisions of the Indian Contracts Act 1872.

Another integral part of corporate risk and compliance management in India that has recently emerged is the aspect of pre-emptive screening of employees. There are no dedicated laws governing the pre-emptive screening of employees in India, hence, there are no legal requirements for conducting background checks on prospective employees, except in certain cases such as banks, schools, etc, under certain notifications by various state governments within the country.

Financial compliance

In the wake of the Satyam scandal (a high-profile corporate scandal affecting India-based company Satyam Computer Services in 2009 wherein the chairman, Mr Ramalinga Raju, confessed to having manipulated the accounts to the tune of 70 billion rupees) along with the collapse of some of the largest companies in the world, India has brought in stringent financial compliance that is to be strictly adhered to by every company. It is a well-known fact that India as a country has a complex and bureaucratic accounting, tax and regulatory system, which makes it an onerous challenge for all companies to remain compliant with each and every financial compliance required by the applicable laws. However, the government has from time to time relaxed many such regulations for ease of business and attracting foreign investments. For example, the Goods and Services Tax regime was introduced in India on 1 July 2017 by subsuming dozens of state and central indirect taxes to transform India into a single market and thus promote the ease of doing business in India.

Corporate compliance

Besides compliance with labour and financial laws, companies are also required to strictly adhere to all corporate compliance as per various other laws including, but not limited to, the Companies Act 2013, Reserve Bank of India guidelines, the Foreign Exchange Management Act 1999, the Securities and Exchange Board of India Act 1992. However, the government has deregulated and relaxed various laws for ease of business and promoting foreign investment in India. For example, foreign direct investment in ‘single brand retail trading’ has recently been allowed up to 100 per cent under the automatic route.

2 Which laws and regulations specifically address corporate risk and compliance management?

Keeping in mind the plethora of laws with regard to labour, financial and corporate laws in India, which a company is required to be compliant with, below are certain laws and regulations that we believe are required to be complied with on the highest priority with respect to each sector.

Labour law

There are specific central acts that are required to be strictly adhered to by a company, which are mentioned below, but are not limited to:
• the Industrial Disputes Act 1947;
• the Employees State Insurance Act 1948;
• the Employees’ Provident Funds and Miscellaneous Provisions Act 1952;
• the Payment of Bonus Act 1965;
• the Factories Act 1948;
• the Contract Labour (Regulation and Abolition) Act 1970;
• the Child Labour (Prohibition and Regulation) Act 1986;
• the Maternity Benefit Act 1961;
• the Payment of Gratuity Act 1972; and
• the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act 2013.

As well as the abovementioned acts, there are certain state-specific acts that are required to be adhered to by companies, such as the Professional Tax Act and the Shops and Establishment Act that are applicable to a particular state.

Financial and corporate compliance

When it comes to corporate and financial compliance, both compliance and risk management go hand in hand. Below are some of the specific regulations that are to be adhered to at the highest priority:
• the Companies Act 2013;
• the Income Tax Act 1961;
• the Reserve Bank of India and its subsequent guidelines;
• the Banking Regulation Act 1949;
• the Foreign Exchange Management Act 1999;
• the Securities and Exchange Board of India 1992 and its subsequent guidelines; and
• the Goods and Services Tax Act 2017.

The Competition Act 2002 also lays down several provisions to promote fair competition in the market and mitigate business-related risks, though its applicability is dependent upon certain thresholds, which are enumerated under this legislation.

3 Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Risk and compliance management is significantly dependent on various factors of a business such as the sector, size, scale, nature of the business and the activities being carried out. Any legal person or entity who indulges in any kind of commercial activities will have to adhere to the rules of risk and compliance management, as may be applicable.

A good corporate governance policy is a commitment by an organisation to adopt various good ethical practices and values and this should
necessarily encompass the entire value chain of stakeholders, namely, shareholders, management, employees, bankers, customers, vendors and regulators.

Thus, all persons, organisations and undertakings are targeted at varying degrees by the rules of risk and compliance management.

4 Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

The Indian legal system recognises sector-specific regulatory and enforcement agencies and bodies that are responsible for corporate compliance in a particular sector. The government of India has enacted various acts, and inter alia created various statutory bodies to regulate and implement the provisions specified therein. The following are a few examples of the principal regulatory and enforcement bodies in India with responsibility for corporate compliance:
• The Registrar of Companies (ROC) is the designated authority that deals with the administration of the Companies Act 2013, and falls under the ambit of the Ministry of Corporate Affairs. It is mandatory for companies incorporated under the Companies Act 2013 to file various forms, returns and documents with the ROC with respect to their day-to-day corporate compliance and activities.
• The Reserve Bank of India (RBI) is the central bank of the country and the key authority that lays down the compliance functions for banks throughout India. The RBI, via its notification RBI/2006-2007/335 dated 20 April 2007, has laid down certain mandatory compliance functions including but not limited to strict observance of all statutory provisions contained in various legislations such as Banking Regulation Act 1949, Reserve Bank of India Act 1934, Foreign Exchange Management Act 1999, Prevention of Money Laundering Act 2002, etc, as well as ensuring observance of other regulatory guidelines issued from time to time such as standards and codes prescribed by The Banking Codes and Standards Board of India, Indian Banks Association, Foreign Exchange Dealers Association of India, Fixed Income Money Markets and Derivatives Association, etc, and also each bank’s internal policies and fair practices code. The RBI also sets out the rules and regulations for exchange control transactions in India, eg, foreign investment and outbound investment related regulations.
• The Securities and Exchange Board of India (SEBI) promotes and regulates the securities market in India. In order to protect the interests of investors, SEBI has laid down various compliances required to be followed by listed entities. In addition to this, SEBI has directed the stock exchanges to implement various measures to ensure corporate compliances including inter alia setting up of a separate monitoring cell to monitor compliances with the provisions of corporate governance and listing of public issues.
• The Competition Commission of India was established under the Competition Act 2002 to eliminate practices having adverse effect on competition, to promote and sustain competition, and to protect interests of consumers and ensure freedom of trade by other participants.
• The prime objective of the Enforcement Directorate is the enforcement of two key acts of the government of India, namely, the Foreign Exchange Management Act 1999 and the Prevention of Money Laundering Act 2002. The officers of the Directorate perform an adjudication function so as to impose a penalty on persons for the contravention of the said acts.

5 Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

The Indian laws have been designed to implement risk and compliance management. While there is no specific law or regulation in India that defines ‘risk management’ and ‘compliance management’, the same has been widely recognised under various statutes in the manner that has been described in earlier questions.

6 Are risk and compliance management processes set out in laws and regulations?

Yes. As stated above, Indian laws set out various provisions for risk and compliance management. For example, the Companies Act 2013 requires a board of directors to develop and implement a risk management policy and identify risks that may threaten the existence of the company. Further, the Companies Act 2013 has made the requirement of compliance very explicit by stipulating a mandatory requirement of positive affirmation from the directors as part of the directors’ responsibility statement under section 134, stating that the directors have devised a proper system to ensure compliance with the applicable laws and that such systems are operating effectively.

It is to be noted that section 205 also requires a company secretary to provide a report to the board about compliance with the provisions of the said act, the rules made thereunder and other laws applicable to the company.

The most significant regulation in this context is Regulation 27(2) of the SEBI Listing Obligation and Disclosure Requirements (LODR) Regulations 2015, which defined significantly tighter personal responsibility of top management for the accuracy of reported corporate governance and inter alia stipulates the preparation of a compliance report of all laws applicable to a company and the review of the same by the board of directors periodically, as well as to take steps by the company to rectify instances of non-compliance and to send reports on compliance to the stock exchanges quarterly. The stock exchanges have been directed by SEBI to set up a separate monitoring cell with identified personnel to monitor compliance with the provisions of the revised Regulation 27(2) of SEBI (LODR) 2015 on corporate governance and to submit a consolidated compliance report to SEBI within 15 days from the end of each quarter.

As per LODR, read with section 134(5)(f) of the Companies Act 2013, the relevant provisions mandate the present corporate bodies to incorporate and implement a legal compliance management system:
• Regulation 4(1) of LODR requires that the listed entity shall abide by all the provisions of the applicable laws and other guidelines;
• Regulation 4(2)(f) of LODR directs that the board of directors of the listed entity shall ensure that a system for compliance with the law and relevant standards are in place; and
• Regulation 17(3) of LODR provides that the board of directors shall periodically review compliance reports pertaining to all laws applicable to the listed entity, prepared by the listed entity, as well as steps taken by the listed entity to rectify instances of non-compliance.

There are a number of other acts and regulations besides the SEBI guidelines such as the Information Technology Act 2000, Companies Act 2013, etc, that mandate the corporate bodies both in public and private sectors to maintain and conduct a periodic review of the regulatory functions and processes of the organisations to ensure that the company’s goal, structure and ongoing operations are consistent with the latest developments in business and corporate laws and regulations. This then lowers the compliance risk profile, reduces fines, reassigns headcounts, enables a better and higher use of the limited law department’s resources, saves measurable costs and improves effectiveness and ensures due diligence.

7 Give details of the main standards and guidelines regarding risk and compliance management processes.

There are no specific standards or guidelines regarding risk and compliance management processes in India. However, the same has been laid down in various forms of law and regulation. For example, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 state that companies must have ‘reasonable security practices and procedures’ and that companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard.

The basic guidelines for risk and compliance management processes are:
• reporting: the reports from management to the board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing the risks. Any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, or may have, on the company and the actions being taken to rectify them; and
• roles and responsibilities: all employees have some responsibility for internal control as part of their accountability for achieving
objectives. The employees collectively should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control.

A strong risk and compliance management system framework can mitigate risks if it can:
• identify the risk inherent in achieving goals and objectives;
• establish risk appetite across the entire risk spectrum;
• establish and communicate risk management frameworks;
• build accurate and consistent risk assessment;
• establish and implement measurement reporting standards and methodologies;
• build a risk profile;
• establish the key control processes, practices and reporting requirements;
• monitor the effectiveness of control;
• ensure all the exposures are adequately identified, measured and managed in accordance with board-approved frameworks;
• provide early warning signals;
• ensure risk management practices are adequate and appropriate for managing the risks;
• report areas of stress where crystallisation of risks is imminent;
• present remedial actions to reduce or mitigate such risks;
• report on sensitive and key risk indicators;
• communicate with relevant parties;
• review and challenge all aspects of the company’s risk profile;
• advise on optimising and improving the company’s risk profile; and
• review and challenge risk management practices.

8 Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Yes, as explained above, undertakings operating in India are subject to risk and compliance governance obligations. As per section 134(5)(f) under the Companies Act 2013, the directors have to state in the yearly directors’ responsibility statement that they have devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.

On failure to comply with the above requirement, the company shall be punishable with fines ranging from 50,000 rupees to 2.5 million rupees and every officer of the company who is in default shall be punished with imprisonment for a term of up to three years or with a fine ranging from 50,000 rupees to 500,000 rupees, or with both.

Further, corporate governance lays down the foundation of a properly structured board and strives for a healthy balance between management and ownership that is capable of taking independent decisions for creating long-term trust between the company and external stakeholders of the company. It creates space for open dialogue by incorporating transparency and fair play in strategic operations of the corporate management. The significance of corporate governance lies in:
• accountability of management to shareholders and other stakeholders;
• transparency in basic operations of the company and integrity in financial reports produced by the company;
• checks and balances as an integral part of good corporate governance;
• adherence to the rules of company in law and spirit;
• code of responsibility for directors and employees of the company; and
• open dialogue between management and stakeholders of the company.

9 What are the key risk and compliance management obligations of undertakings?

Key compliances under the Companies Act 2013 are as follows:
• consolidated financial statements are to be prepared where a company has subsidiaries and associates. Intermediary subsidiaries are exempted provided shareholders of the parent have consented to the same;
• uniform financial year has been implemented for all companies as April to March. Specific approvals for deviation can be obtained from the National Company Law Tribunal for certain classes of companies;
• as per section 138 of said Act and Rule 13 of Companies (Accounts) Rules 2014, the following companies are required to appoint an internal auditor in a board meeting:
  • listed companies;
  • a public company with a paid-up share capital of more than 500 million rupees and a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees and outstanding deposits of more than 250 million rupees; and
  • a private company with a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees;
• the provisions on reporting fraud have been laid down under section 143(12) of the Act and provides that if the auditor of a company, in the course of the performance of their duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, they shall report the matter to the central government;
• as per section 204(1) of said Act, read with Rule 9 of the Companies (Appointment and Remuneration of Managerial Personnel) Rules 2014, the following companies are required to obtain a secretarial audit report:
  • every listed company;
  • every public company having a paid-up share capital of 500 million rupees or more; and
  • every public company having a turnover of 2.55 billion rupees or more.

Key compliances under the Foreign Exchange Management Act 1999:
• a foreign liabilities and assets return is required to be submitted mandatorily by all companies resident in India that have received foreign direct investment or made outward direct investment (ODI) in any of the previous year or years, including the current year; in other words, who holds foreign assets or liabilities in their financial statements as of 31 March; and
• an Indian party or resident individual that has made an ODI has to submit an annual performance report in Form ODI Part II to the authorised dealer bank by 31 December every year in respect of each joint venture or wholly owned subsidiary outside India.

Key compliances under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules):
• any person or entity that collects, receives, stores, processes or handles personal or sensitive personal information must provide a privacy policy on the company’s website that should be accessible to the provider of information;
• the Data Protection Rules mandate companies to obtain express consent from the provider of sensitive personal information regarding the purpose and use of the information. The consent can be obtained through any electronic media;
• the company should ensure that the data providers are made aware of the purpose for which the sensitive personal information is collected, the intended recipients of the information, the agency collecting the information, the agency retaining the information, etc. Further, the data provider should be given an option not to provide the information or to revise or withdraw the information;
• the companies must have ‘reasonable security practices and procedures’. The companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard; and
• all discrepancies or grievances reported to companies must be addressed in a timely manner. Companies must appoint a grievance officer and publish their name and contact details on the company’s website. The grievance officer must redress all the data subjects’ grievances within one month of receiving the grievance.

10 What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

As per the Companies Act 2013, the board of directors is required to develop and implement a risk management policy and identify risks that may threaten the existence of the company. Further, the Act has
made the requirement of compliance very explicit by stipulating a mandatory requirement of positive affirmation from the directors as part of the directors’ responsibility statement under section 134, stating that the directors have devised a proper system to ensure compliance with the applicable laws and that such systems are operating effectively. It is to be noted that section 205 also requires a company secretary to provide a report to the board about compliance with the provisions of the said Act, the rules made thereunder and other laws applicable to the company.

Further, SEBI issued the revised clause 49 that would be applicable to all listed companies with effect from 1 October 2014. The revised clause 49 requires senior management to make disclosures to the board relating to all material financial and commercial transactions where they have personal interest that may have potential conflict with the interest of the company at large. The term ‘senior management’ shall mean members of the core management team. This will include all members of management one level below the executive directors including all functional heads.

11 Do undertakings face civil liability for risk and compliance management deficiencies?

Compliance in general means compliance with laws and regulations. These laws and regulations may stipulate penalties for non-compliance of provisions. While there are no direct consequences for deficiencies in risk and compliance management mechanisms, penalties may be imposed if the same results in infringement of the said laws. Below are a few examples of penalties imposed:
• As per section 88 of the Companies Act 2013, if a company fails to maintain a register of members, the company and every officer of the company in default shall be punishable with a fine ranging from 50,000 rupees to 300,000 rupees. Further, as per section 92 of the Act, if a company fails to file a copy of annual return within the prescribed timeline, the company shall be punishable with a fine ranging from 50,000 rupees to 500,000 rupees.
• Section 13 of the Foreign Exchange Management Act 1999 imposes a penalty on every person who contravenes any provision of this Act, or contravenes any rule, regulation, notification, direction or order issued in exercise of the powers under this Act, or contravenes any condition subject to which an authorisation is issued by the Reserve Bank. The said penalty can equal up to three times the sum involved in such contravention where the amount is quantifiable, or up to 200,000 rupees where the amount is not quantifiable. Where such contravention continues, further penalties can be levied of up to 5,000 rupees for each day after the first day during which the contravention continues.
• Section 21 of the Maternity Benefit Act 1961 states that every employer who does not comply with the provisions of the Act shall be punishable with imprisonment of up to three months, with a fine of up to 500 rupees or with both.
• Section 22A of the Minimum Wages Act 1948 imposes a penalty on every employer who contravenes any provision of this Act or any rule or order made thereunder with a fine of up to 500 rupees.
• Via its circular dated 15 June 2017, SEBI has imposed certain penalties for non-compliance with certain provisions of the SEBI (Issue of Capital and Disclosure Requirements) Regulations 2009, which includes inter alia a penalty of 20,000 rupees a day for delay in completion of bonus issue, until the date of actual compliance.
• Section 43A of the Competition Act 2002 imposes penalties on any

[…]

certain provisions of these rules or does not comply with the directions issued by the DGCA or does not observe the terms and conditions of the relevant document. This can be termed as administrative action.

Further, undertakings in India have been governed by various regulators such as the RBI, SEBI, Insurance Regulatory and Development Authority (IRDA), Pension Fund Regulatory and Development Authority, National Bank of Agriculture and Rural Development, Telecom Regulatory Authority of India, etc.

In addition to the penalties imposed by the RBI and SEBI as explained above, please note that section 105B of the IRDA stipulates the penalty for failure of an insurer to undertake life insurance business and general insurance business in the rural or social sector. In such an event, an insurer shall be liable to a penalty of up to 500,000 rupees for each such failure and shall be punishable with imprisonment for up to three years or with a fine for each such failure.

13 Do undertakings face criminal liability for risk and compliance management deficiencies?

Yes, undertakings face criminal liability for risk and compliance management deficiencies in India. The Companies Act 2013 prescribes the penalties for offences committed by companies. Under the Income Tax Act 1961, the Customs Act 1962, the Central Sales Tax 1956 and the Central Excise Act 1944, various tax-related crimes such as tax evasion, smuggling, customs duty evasion, value added tax evasion and tax fraud are prosecuted.

Further, the Environment (Protection) Act 1986 is an act under which the central government is empowered to protect and improve the quality of the environment. A significant statutory rule framed under this Act is the Hazardous Waste (Management and Handling) Rules 1989. It is to be noted that any violation of any rule framed under the provisions of the said Act renders the offender liable for imprisonment for a term of up to five years with a fine, and if the contravention continues beyond a period of one year, the term of imprisonment may be increased by another five years.

14 Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Yes, the members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations. For example, section 35(1) of the Companies Act 2013 imposes civil liability on every director, promoter or other senior management personnel for any mis-statements in the prospectus.

15 Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes. See question 12.

16 Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

The Companies Act 2013 prescribes punishments for offences committed by companies under the Act. Liability for an offence leads to conviction or punishment by way of imprisonment or fine or both, and the punishment is inflicted on the company, the directors and other officers of the company who were accused and found guilty of the offence
person or enterprise who fails to give notice to the commission by a court.
with respect to forming a combination. The penalty imposed may In most cases, the persons liable for the offences are ‘officers who
extend to one per cent of either the total turnover or the assets, are in default’ and the said term is defined exhaustively under the Act.
whichever is the higher amount. For the purpose of any provision under that Act, an ‘officer of the com-
pany’ means any of the following:
12 Do undertakings face administrative or regulatory • a whole-time director;
consequences for risk and compliance management • key managerial personnel, who include:
deficiencies? • a managing director, or chief executive officer or manager
and, in their absence, a whole-time director;
Yes, undertakings do face administrative and regulatory consequences
• the company secretary; and
for risk and compliance management deficiencies.
• the chief financial officer (CFO);
For example, under the Aircraft Rules 1937, powers have been
• where there are no key managerial personnel, such director or
conferred on the central government and the Director General of
directors as are specified by the board on its behalf who have given
Civil Aviation (DGCA) to grant various licences, permits, certificates,
their consent in writing to the board to such specification, or all of
approvals, etc. At the same time, these rules empower them to suspend,
the directors if no director is so specified;
cancel, withdraw or modify them, if the document holder contravenes


• any person in accordance with whose advice, directions or instructions the board of directors of the company is accustomed to act, other than a person who gives advice to the board in a professional capacity;
• any person who, under the immediate authority of the board or any key managerial personnel, is charged with any responsibility including maintenance, filing or distribution of accounts or records, and who authorises, actively participates in, knowingly permits or knowingly fails to take active steps to prevent, any default;
• in respect of a contravention of any of the provisions of the Act, any director who is aware of a contravention by virtue of receiving any proceedings of the board or participating in such proceedings without objecting to the same, or where such contravention had taken place with their consent or connivance; and
• in respect of the issue or transfer of any shares of a company, the share transfer agents, registrars and merchant bankers to the issue or transfer.

Section 439 of the Act provides that, notwithstanding anything contained in the Code of Criminal Procedure 1973, every offence under the Act shall be deemed to be non-cognisable within the meaning of the Code of Criminal Procedure and that no court (as defined under the 2013 Act) shall take cognisance of any offence under the Act that is alleged to have been committed by any company or any officer thereof, except on the complaint in writing of the companies registrar, a shareholder of the company or a person authorised by central government.
In Anath Bandhu Samanta v Corporation of Calcutta (AIR 1952 Cal 759), the Calcutta High Court held that there is nothing in Indian law that precludes the trial of a company for an offence except where it was physically impossible for the company to have committed the offence in question; mens rea is essential. Furthermore, if the only punishment for the offence in question is imprisonment, a company can be tried for that offence and, if found guilty, punished by imposing a suitable fine.

17 Is there a corporate compliance defence? What are the requirements?

There is no such defence for corporate compliance under the Indian laws. Every undertaking needs to comply with applicable laws. As is the case under common law principles, ignorance of law is no justification for non-compliance and corporate entities and their management bodies are required to be aware of the various compliances demanded of them.

18 Discuss the most recent leading cases regarding corporate risk and compliance management failures?

The Satyam case
The fraud committed by Ramalinga Raju and Satyam Computers is the biggest corporate fraud in India and it is also an example of failure of corporate governance. On 24 June 1987, Satyam Computer Services Ltd (popularly known as Satyam) was incorporated by the two brothers, B. Rama Raju and B. Ramalinga Raju, as a private limited company with just 20 employees for providing software development and consultancy services to large corporations (the company went public in 1991). In 1996, the company promoted three more subsidiaries including Satyam Renaissance Consulting Ltd, Satyam Enterprise Solutions Pvt Ltd and Satyam Infoway Pvt Ltd. In 2001, Satyam became the world’s first ISO 9001:2000 company certified by Bureau Veritas Quality International. In 2003, Satyam started providing IT services to World Bank and signed a long-term contract with them. In 2005, Satyam was ranked third in the Corporate Governance Survey by Global Institutional Investors.
Suddenly, on 7 January 2009, B. Ramalinga Raju confessed to more than 78 billion rupees worth of financial fraud and he resigned as chairman of Satyam. His emotionally charged four-and-a-half-page letter of startling revelations shook the entire corporate world when he admitted to cooking the accounts and inflating the figures by 50.4 billion rupees. He committed this fraud and tried to hush it up through an abortive bid to purchase Maytas Infra, a company he had created and that was run by his son Teja Raju. A week after his scandalous confession, Satyam’s auditors Price Waterhouse finally admitted that its audit report was wrong as it was based on incorrect financial statements provided by Satyam’s management. On 22 January 2009, Satyam’s CFO Srinivas Vadlamani confessed to having inflated the number of employees by 10,000. He told Criminal Investigation Department officials interrogating him that this helped in drawing approximately 200 million rupees per month from the related but fictitious salary accounts. Satyam had inflated the revenue of the company by infusing false and fictitious sales invoices and shown the amount received and deposited as fixed deposits in various scheduled banks.

The Sahara case
The Sahara Group was accused of failing to refund over 200 billion rupees to its more than 30 million small investors that it had collected through two unlisted companies of Sahara. In 2011, SEBI ordered Sahara to refund this amount with interest to the investors, as the issue was not in compliance with the requirements applicable to the public offerings of securities. Later in 2014, Mr Subrata Roy, the chairman of Sahara, was arrested for the said fraud. His proposal to settle the matter was rejected by the court and SEBI.

Punjab National Bank (PNB) fraud case
India’s second largest state-owned lender Punjab National Bank (PNB) disclosed on 14 February 2018 that it was the victim of the country’s largest bank fraud. PNB revealed that fraudulent transactions by billionaire jeweller Nirav Modi and related entities (ie, M/s Diamonds R Us, M/s Solar Exports and M/s Stellar Diamonds) amounted to US$1.77 billion or over 110 billion rupees.
In a complaint to the Central Bureau of Investigation, PNB said that Modi and the companies linked to him colluded with its officials to get guarantees or letters of undertaking to help fund buyer’s credit from other overseas banks. PNB alleged that the funds, ostensibly raised for the purchase and sale of diamonds, were not used for that purpose. Later, it was revealed that the fraud extended past PNB to other lenders such as State Bank of India, Union Bank, Axis Bank Ltd and Allahabad Bank, all of whom had exposure to the case. The preliminary investigations showed two officials of the bank had fraudulently issued letters of undertaking to the said firms without following the due process. These fraudulent letters of undertaking were then transmitted across the Society for Worldwide Interbank Financial Telecommunications (SWIFT) messaging system, and based on these, credit was offered to the said firms.
This case is the most recent classic example of risk and compliance management failure by PNB and several bankers wonder how the delinking of SWIFT from Core Banking Solution could have been achieved without it being detected by the bank’s information technology department. This suggests a possible breach of the security system (eg, passwords and authentication) and the fact that the approval for issuance of letters of undertaking was forged for such huge amounts without it being captured in the system or red-flagged, indicates a major failure of the internal control systems of PNB.
In light of the above, it is pertinent to note that a company’s system of internal control reflects its control environment and should be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment. Internal controls are the core of a company’s corporate governance practice and the main means of controlling, offsetting and mitigating most types of risk, especially those associated with reckless and fraudulent financial decisions.

Update and trends
The Companies Act 2013 has put a greater emphasis on corporate governance measures through the different provisions that are incorporated within it.

19 Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Yes, there are risk and compliance management obligations for government, government agencies and state-owned enterprises. The Department of Public Enterprises (DPE) has issued mandatory governance guidelines to Central Public Sector enterprises and state-owned enterprises.


For example, the DPE requires Central Public Sector enterprises to submit quarterly progress reports with regard to compliance of corporate governance guidelines. Further, the guidelines also require the Administrative Ministries to consolidate the information received from such enterprises and submit a comprehensive report on the status of compliance of corporate governance guidelines to the DPE.
In addition to the above, the DPE also provides for certain other policies to regulate risk and compliance management that include but are not limited to personnel policies, vigilance policies, financial policies, corporate social responsibility, etc.

20 What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

The introduction of the Companies Act 2013 has imposed certain additional compliance requirements mandated for private companies that, until then, were mandated only for public companies and private companies that are subsidiaries of public companies. These include the following:
• appointment of director to be voted individually;
• option to adopt principle of proportional representation for appointment of directors; and
• the provisions pertaining to the ineligibility for appointment of director are also extended to cover appointment or reappointment of a director in a private limited company.

Certain provisions of clause 49 of the Listing Agreement are very specific with regard to risk and compliance management obligations for public companies. Clause 49 I(D) of the Listing Agreement with the stock exchanges requires companies to institute a code of ethics for the board and senior management and affirm compliance to the same on an annual basis. Although institution of the whistle-blower mechanism is not mandatory at present, clause 49 II(D) requires an audit committee to review procedures for the receipt, retention and treatment of complaints (including confidential and anonymous submissions by employees) received regarding accounting, internal accounting controls or auditing matters, providing for adequate safeguards against victimisation of employees who avail of the mechanism and also provide for direct access to the chairman of the audit committee in exceptional cases. The stock exchanges’ corporate governance listing standards require listed companies to incorporate the code of ethics for directors and senior management and public disclosure of the code on the company’s website. The guidelines changed focus away from compliance toward a broader assessment of corporate efforts to create an ethical and organisational culture.
Schedule IV, read with section 149(8) of the Companies Act 2013, lays down the code for professional conduct for independent directors. The duties of an independent director elaborated in Part III of Schedule IV include ascertaining and ensuring that the company has an adequate and functional vigil mechanism and that the interests of the persons using it are not harmed. The independent directors are also entrusted with the task of reporting concerns over unethical behaviour, actual or suspected fraud or violation of the company’s code of conduct or ethics policy. Such changes made by the Act with regard to governance, transparency, disclosures, the position of the serious fraud investigation office, etc, under section 211 of the Companies Act 2013 are expected to make companies shift from being complacent to playing compliant roles.
In particular, the amended guidelines require boards of directors and executives to assume responsibility for the oversight and management of ethics and compliance programmes. The provisions will help in developing a valuable framework for the design of effective ethics and compliance programmes.

Junia Sebastian, jsebastian@almtlegal.com
Arindam Basu, abasu@almtlegal.com
Richika LRS, richika@almtlegal.com

No 2 Lavelle Road, Bangalore 560001, India
Tel: +91 80 4016 0036
Fax: +91 80 4016 0001
www.almtlegal.com
